ELB Using Weak Ciphers
- Query id: a507daa5-0795-4380-960b-dd7bb7c56661
- Query name: ELB Using Weak Ciphers
- Platform: Crossplane
- Severity: High
- Category: Encryption
- CWE: 326
- URL: Github
Description¶
ELB Predefined or Custom Security Policies must not use weak ciphers, to reduce the risk of the SSL connection between the client and the load balancer being exploited. That means the 'sslPolicy' of 'Listener' must not coincide with any of a predefined list of weak ciphers.
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
name: test-listener
spec:
forProvider:
region: us-east-1
defaultActions:
- actionType: forward
forwardConfig:
targetGroups:
- targetGroupArnRef:
name: test-targetgroup
loadBalancerArnRef:
name: test-loadbalancer
port: 80
protocol: HTTP
sslPolicy: TLS_NULL_WITH_NULL_NULL
providerConfigRef:
name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-ec2
base:
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
name: test-listener2
spec:
forProvider:
region: us-east-1
defaultActions:
- actionType: forward
forwardConfig:
targetGroups:
- targetGroupArnRef:
name: test-targetgroup
loadBalancerArnRef:
name: test-loadbalancer
port: 80
protocol: HTTP
sslPolicy: TLS_NULL_WITH_NULL_NULL
providerConfigRef:
name: example
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
name: test-listener
spec:
forProvider:
region: us-east-1
defaultActions:
- actionType: forward
forwardConfig:
targetGroups:
- targetGroupArnRef:
name: test-targetgroup
loadBalancerArnRef:
name: test-loadbalancer
port: 80
protocol: HTTP
sslPolicy: ELBSecurityPolicy-2015-05
providerConfigRef:
name: example
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-ec2
base:
apiVersion: elbv2.aws.crossplane.io/v1alpha1
kind: Listener
metadata:
name: test-listener2
spec:
forProvider:
region: us-east-1
defaultActions:
- actionType: forward
forwardConfig:
targetGroups:
- targetGroupArnRef:
name: test-targetgroup
loadBalancerArnRef:
name: test-loadbalancer
port: 80
protocol: HTTP
sslPolicy: ELBSecurityPolicy-2015-05
providerConfigRef:
name: example